envsdotnet-matrix-conf/etc/matrix-media-repo/media-repo.yaml

# General repo configuration
repo:
  bindAddress: '127.0.0.1'
  port: 8000

  # Where to store the logs, relative to where the repo is started from. Logs will be automatically
  # rotated every day and held for 14 days. To disable the repo logging to files, set this to
  # "-" (including quotation marks).
  #
  # Note: to change the log directory you'll have to restart the repository. This setting cannot be
  # live reloaded.
  logDirectory: /var/log/matrix-media

  # Set to true to enable color coding in your logs. Note that this may cause escape sequences to
  # appear in logs which render them unreadable, which is why colors are disabled by default.
  logColors: false

  # Set to true to enable JSON logging for consumption by things like logstash. Note that this is
  # incompatible with the log color option and will always render without colors.
  jsonLogs: false

  # The log level to log at. Note that this will need to be at least "info" to receive support.
  #
  # Values (in increasing spam): panic | fatal | error | warn | info | debug | trace
  logLevel: "warn"

  # If true, the media repo will accept any X-Forwarded-For header without validation. In most cases
  # this option should be left as "false". Note that the media repo already expects an X-Forwarded-For
  # header, but validates it to ensure the IP being given makes sense.
  trustAnyForwardedAddress: false

  # If false, the media repo will not use the X-Forwarded-Host header commonly added by reverse proxies.
  # Typically this should remain as true, though in some circumstances it may need to be disabled.
  # See https://github.com/t2bot/matrix-media-repo/issues/202 for more information.
  useForwardedHost: true

  # If true, media uploaded or cached from that point forwards will require authentication in order to
  # be accessed. Media uploaded or cached prior will remain accessible on the unauthenticated endpoints.
  # If set to false after being set to true, media uploaded or cached while the flag was true will still
  # only be accessible over authenticated endpoints, though future media will be accessible on both
  # authenticated and unauthenticated media.
  #
  # This flag currently defaults to false. A future release, likely in August 2024, will remove this flag
  # and have the same effect as it being true (always on). This flag is primarily intended for servers to
  # opt-in to the behaviour early.
  freezeUnauthenticatedMedia: false

# Options for dealing with federation
federation:
  # On a per-host basis, the number of consecutive failures in calling the host before the
  # media repo will back off. This defaults to 20 if not given. Note that 404 errors from
  # the remote server do not count towards this.
  backoffAt: 20

  # The domains the media repo should never serve media for. Existing media already stored from
  # these domains will remain, however will not be downloadable without a data export. Media
  # repo administrators will bypass this check. Admin APIs will still work for media on these
  # domains.
  #
  # This will not prevent the listed domains from accessing media on this media repo - it only
  # stops users on *this* media repo from accessing media originally uploaded to the listed domains.
  #
  # Note: Adding domains controlled by the media repo itself to this list is not advisable.
  ignoredHosts:
    - example.org

# The database configuration for the media repository
# Do NOT put your homeserver's existing database credentials here. Create a new database and
# user instead. Using the same server is fine, just not the same username and database.
database:
  # Currently only "postgres" is supported.
  postgres: "postgres://matrix:xxx@localhost/matrixmedia?sslmode=disable"

  # The database pooling options
  pool:
    # The maximum number of connects to hold open. More of these allow for more concurrent
    # processes to happen.
    maxConnections: 25

    # The maximum number of connects to leave idle. More of these reduces the time it takes
    # to serve requests in low-traffic scenarios.
    maxIdleConnections: 5

# The configuration for the homeservers this media repository is known to control. Servers
# not listed here will not be able to upload media.
homeservers:
  - # Keep the dash from this line.

    # This should match the server_name of your homeserver, and the Host header
    # provided to the media repo.
    name: envs.net

    # The base URL to where the homeserver can actually be reached by MMR.
    csApi: "https://matrix.envs.net/"

    # The number of consecutive failures in calling this homeserver before the
    # media repository will start backing off. This defaults to 10 if not given.
    backoffAt: 10

    # The admin API interface supported by the homeserver. MMR uses a subset of the admin API
    # during certain operations, like attempting to purge media from a room or validating server
    # admin status. This should be set to one of "synapse", "dendrite", or "matrix". When set
    # to "matrix", most functionality requiring the admin API will not work.
    adminApiKind: "synapse"

    # The signing key to use for authorizing outbound federation requests. If not specified,
    # requests will not be authorized. See https://docs.t2bot.io/matrix-media-repo/v1.3.5/installation/signing-key/
    # for details.
    signingKeyPath: "/etc/matrix-media-repo/mmr.signing.key"

# Options for controlling how access tokens work with the media repo. It is recommended that if
# you are going to use these options that the `/logout` and `/logout/all` client-server endpoints
# be proxied through this process. They will also be called on the homeserver, and the response
# sent straight through the client - they are simply used to invalidate the cache faster for
# a particular user. Without these, the access tokens might still work for a short period of time
# after the user has already invalidated them.
#
# This will also cache errors from the homeserver.
#
# Note that when this config block is used outside of a per-domain config, all hosts will be
# subject to the same cache. This also means that application services on limited homeservers
# could be authorized on the wrong domain.
#
# ***************************************************************************
# *  IT IS HIGHLY RECOMMENDED TO USE PER-DOMAIN CONFIGS WITH THIS FEATURE.  *
# ***************************************************************************
accessTokens:
  # The maximum time a cached access token will be considered valid. Set to zero (the default)
  # to disable the cache and constantly hit the homeserver. This is recommended to be set to
  # 43200 (12 hours) on servers with the logout endpoints proxied through the media repo, and
  # zero for servers who do not proxy the endpoints through.
  maxCacheTimeSeconds: 0

  # Whether or not to use the `appservices` config option below. If disabled (the default),
  # the regular access token cache will be used for each user, potentially leading to high
  # memory usage.
  useLocalAppserviceConfig: false

  # The application services (and their namespaces) registered on the homeserver. Only used
  # if `useLocalAppserviceConfig` is enabled (recommended).
  #
  # Usually the appservice will provide you with these config details - they'll just need
  # translating from the appservice registration to here. Note that this does not require
  # all options from the registration, and only requires the bare minimum required to run
  # the media repo.
  appservices:
    - id: Name_of_appservice_for_your_reference
      asToken: Secret_token_for_appservices_to_use
      senderUserId: "@_example_bridge:envs.net"
      userNamespaces:
        - regex: "@_example_bridge_.+:envs.net"
          # A note about regexes: it is best to suffix *all* namespaces with the homeserver
          # domain users are valid for, as otherwise the appservice can use any user with
          # any domain name it feels like, even if that domain is not configured with the
          # media repo. This will lead to inaccurate reporting in the case of the media
          # repo, and potentially leading to media being considered "remote".

# These users have full access to the administrative functions of the media repository.
# See docs/admin.md for information on what these people can do. They must belong to one of the
# configured homeservers above.
admins:
  - "@creme:envs.net"

# Shared secret auth is useful for applications building on top of the media repository, such
# as a management interface. The `token` provided here is treated as a repository administrator
# when shared secret auth is enabled: if the `token` is used in place of an access token, the'
# request will be authorized. This is not limited to any particular domain, giving applications
# the ability to use it on any configured hostname.
sharedSecretAuth:
  # Set this to true to enable shared secret auth.
  enabled: false

  # Use a secure value here to prevent unauthorized access to the media repository.
  token: "PutSomeRandomSecureValueHere"

# Datastores are places where media should be persisted. This isn't dedicated for just uploads:
# thumbnails and other misc data is also stored in these places. The media repo, when looking
# for a datastore to use, will always use the smallest datastore first.
datastores:
  - type: file
    id: "b2ca79fa0b75955e59e52d2286a30f4c8e053d72"
    # Datastores can be split into many areas when handling uploads. Media is still de-duplicated
    # across all datastores (local content which duplicates remote content will re-use the remote
    # content's location). This option is useful if your datastore is becoming very large, or if
    # you want faster storage for a particular kind of media.
    #
    # The kinds available are:
    #   thumbnails    - Used to store thumbnails of media (local and remote).
    #   remote_media  - Original copies of remote media (servers not configured by this repo).
    #   local_media   - Original uploads for local media.
    #   archives      - Archives of content (GDPR and similar requests).
    forKinds: ["all"]
    opts:
      path: /var/matrix-media

# Options for controlling archives. Archives are exports of a particular user's content for
# the purpose of GDPR or moving media to a different server.
archiving:
  # Whether archiving is enabled or not. Default enabled.
  enabled: true
  # If true, users can request a copy of their own data. By default, only repository administrators
  # can request a copy.
  # This includes the ability for homeserver admins to request a copy of their own server's
  # data, as known to the repo.
  selfService: false
  # The number of bytes to target per archive before breaking up the files. This is independent
  # of any file upload limits and will require a similar amount of memory when performing an export.
  # The file size is also a target, not a guarantee - it is possible to have files that are smaller
  # or larger than the target. This is recommended to be approximately double the size of your
  # file upload limit, provided there is enough memory available for the demand of exporting.
  targetBytesPerPart: 209715200 # 200mb default

# The file upload settings for the media repository
uploads:
  # The maximum individual file size a user can upload.
  maxBytes: 104857600 # 100MB default, 0 to disable

  # The minimum number of bytes to let people upload. This is recommended to be non-zero to
  # ensure that the "cost" of running the media repo is worthwhile - small file uploads tend
  # to waste more CPU and database resources than small files, thus a default of 100 bytes
  # is applied here as an approximate break-even point.
  minBytes: 100 # 100 bytes by default

  # The number of bytes to claim as the maximum size for uploads for the limits API. If this
  # is not provided then the maxBytes setting will be used instead. This is useful to provide
  # if the media repo's settings and the reverse proxy do not match for maximum request size.
  # This is purely for informational reasons and does not actually limit any functionality.
  # Set this to -1 to indicate that there is no limit. Zero will force the use of maxBytes.
  #reportedMaxBytes: 104857600

  # The number of pending uploads a user is permitted to have at a given time. They must cancel,
  # complete, or otherwise let pending requests expire before uploading any more media. Set to
  # zero to disable.
  maxPending: 5

  # The duration the server will wait to receive media that was asynchronously uploaded before
  # expiring it entirely. This should be set sufficiently high for a client on poor connectivity
  # to upload something. The Matrix specification recommends 24 hours (86400 seconds), however
  # this project recommends 30 minutes (1800 seconds).
  maxAgeSeconds: 1800

  # Options for limiting how much content a user can upload. Quotas are applied to content
  # associated with a user regardless of de-duplication. Quotas which affect remote servers
  # or users will not take effect. When a user exceeds their quota they will be unable to
  # upload any more media.
  quotas:
    # Whether quotas are enabled/enforced. Note that even when disabled the media repo will
    # track how much media a user has uploaded. Quotas are disabled by default.
    enabled: false

    # The upload quota rules which affect users. The first rule to match the user ID will take
    # effect. If a user does not match a rule, the defaults implied by the above config will
    # take effect instead. The user will not be permitted to upload anything above these quota
    # values, but can match them exactly.
    users:
      - glob: "@*:*"  # Affect all users. Use asterisks (*) to match any character.
        # The maximum number of TOTAL bytes a user can upload. Defaults to zero (no limit).
        maxBytes: 53687063712 # 50gb
        # The same as maxPending above - the number of uploads the user can have waiting to
        # complete before starting another one. Defaults to maxPending above. Set to 0 to
        # disable.
        maxPending: 5
        # The maximum number of uploaded files a user can have. Defaults to zero (no limit).
        # If both maxBytes and maxFiles are in use then the first condition a user triggers
        # will prevent upload. Note that a user can still have uploads contributing to maxPending,
        # but will not be able to complete them if they are at maxFiles.
        maxFiles: 0

# Settings related to downloading files from the media repository
downloads:
  # The maximum number of bytes to download from other servers
  #maxBytes: 104857600 # 100MB default, 0 to disable
  maxBytes: 268435456 # 256

  # The number of workers to use when downloading remote media. Raise this number if remote
  # media is downloading slowly or timing out.
  #
  # Maximum memory usage = numWorkers multiplied by the maximum download size
  # Average memory usage is dependent on how many concurrent downloads your users are doing.
  numWorkers: 10

  # How long, in minutes, to cache errors related to downloading remote media. Once this time
  # has passed, the media is able to be re-requested.
  failureCacheMinutes: 5

  # How many days after a piece of remote content is downloaded before it expires. It can be
  # re-downloaded on demand, this just helps free up space in your datastore. Set to zero or
  # negative to disable. Defaults to disabled.
  expireAfterDays: 90

  # The default size, in bytes, to return for range requests on media. Range requests are used
  # by clients when they only need part of a file, such as a video or audio element. Note that
  # the entire file will still be cached (if enabled), but only part of it will be returned.
  # If the client requests a larger or smaller range, that will be honoured.
  defaultRangeChunkSizeBytes: 10485760 # 10MB default

# URL Preview settings
urlPreviews:
  enabled: true # If enabled, the preview_url routes will be accessible
  maxPageSizeBytes: 10485760 # 10MB default, 0 to disable

  # If true, the media repository will try to provide previews for URLs with invalid or unsafe
  # certificates. If false (the default), the media repo will fail requests to said URLs.
  previewUnsafeCertificates: false

  # Note: URL previews are limited to a given number of words, which are then limited to a number
  # of characters, taking off the last word if it needs to. This also applies for the title.

  numWords: 50 # The number of words to include in a preview (maximum)
  maxLength: 200 # The maximum number of characters for a description

  numTitleWords: 30 # The maximum number of words to include in a preview's title
  maxTitleLength: 150 # The maximum number of characters for a title

  # The mime types to preview when OpenGraph previews cannot be rendered. OpenGraph previews are
  # calculated on anything matching "text/*". To have a thumbnail in the preview the URL must be
  # an image and the image's type must be allowed by the thumbnailer.
  filePreviewTypes:
    - "image/*"

  # The number of workers to use when generating url previews. Raise this number if url
  # previews are slow or timing out.
  #
  # Maximum memory usage = numWorkers multiplied by the maximum page size
  # Average memory usage is dependent on how many concurrent urls your users are previewing.
  numWorkers: 10

  # Either allowedNetworks or disallowedNetworks must be provided. If both are provided, they
  # will be merged. URL previews will be disabled if neither is supplied. Each entry must be
  # a CIDR range.
  disallowedNetworks:
    - "127.0.0.1/8"
    - "10.0.0.0/8"
    - "172.16.0.0/12"
    - "192.168.0.0/16"
    - "100.64.0.0/10"
    - "169.254.0.0/16"
    - '::1/128'
    - 'fe80::/64'
    - 'fc00::/7'
  allowedNetworks:
    - "0.0.0.0/0" # "Everything". The deny list will help limit this.
                  # This is the default value for this field.

  # How many days after a preview is generated before it expires and is deleted. The preview
  # can be regenerated safely - this just helps free up some space in your database. Set to
  # zero or negative to disable. Defaults to disabled.
  expireAfterDays: 90

  # The default Accept-Language header to supply when generating URL previews when one isn't
  # supplied by the client.
  # Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language
  defaultLanguage: "en-US,en"

  # Set the User-Agent header to supply when generating URL previews
  userAgent: "matrix-media-repo"

  # When true, oEmbed previews will be enabled. Typically, these kinds of previews are used for
  # sites that do not support OpenGraph or page scraping, such as Twitter. For information on
  # specifying providers for oEmbed, including your own, see the following documentation:
  # https://docs.t2bot.io/matrix-media-repo/url-previews/oembed.html
  # Defaults to disabled.
  oEmbed: true

# The thumbnail configuration for the media repository.
thumbnails:
  # The maximum number of bytes an image can be before the thumbnailer refuses.
  maxSourceBytes: 10485760 # 10MB default, 0 to disable

  # The maximum number of pixels an image can have before the thumbnailer refuses. Note that
  # this only applies to image types: file types like audio and video are affected solely by
  # the maxSourceBytes.
  maxPixels: 96000000 # 32M default

  # The number of workers to use when generating thumbnails. Raise this number if thumbnails
  # are slow to generate or timing out.
  #
  # Maximum memory usage = numWorkers multiplied by the maximum image source size
  # Average memory usage is dependent on how many thumbnails are being generated by your users
  numWorkers: 100

  # All thumbnails are generated into one of the sizes listed here. The first size is used as
  # the default for when no width or height is requested. The media repository will return
  # either an exact match or the next largest size of thumbnail.
  sizes:
    - width: 32
      height: 32
    - width: 96
      height: 96
    - width: 320
      height: 240
    - width: 640
      height: 480
    - width: 768   # This size is primarily used for audio thumbnailing.
      height: 240
    - width: 800
      height: 600

  # To allow for thumbnails to be any size, not just in the sizes specified above, set this to
  # true (default false). When enabled, whatever size requested by the client will be generated
  # up to a maximum of the largest possible dimensions in the `sizes` list. For best results,
  # specify only one size in the `sizes` list when this option is enabled.
  dynamicSizing: false

  # The content types to thumbnail when requested. Types that are not supported by the media repo
  # will not be thumbnailed (adding application/json here won't work). Clients may still not request
  # thumbnails for these types - this won't make clients automatically thumbnail these file types.
  types:
    - "image/jpeg"
    - "image/jpg"
    - "image/png"
    - "image/apng"
    - "image/gif"
    - "image/heif"
    - "image/heic"
    - "image/webp"
    - "image/bmp"
    - "image/tiff"
    - "image/svg+xml" # Be sure to have ImageMagick installed to thumbnail SVG files
    - "audio/mpeg"
    - "audio/ogg"
    - "audio/wav"
    - "audio/flac"
    - "video/mp4" # Be sure to have ffmpeg installed to thumbnail video files

  # Animated thumbnails can be CPU intensive to generate. To disable the generation of animated
  # thumbnails, set this to false. If disabled, regular thumbnails will be returned.
  allowAnimated: true

  # Default to animated thumbnails, if available
  defaultAnimated: false

  # The maximum file size to thumbnail when a capable animated thumbnail is requested. If the image
  # is larger than this, the thumbnail will be generated as a static image.
  maxAnimateSizeBytes: 10485760 # 10MB default, 0 to disable

  # On a scale of 0 (start of animation) to 1 (end of animation), where should the thumbnailer try
  # and thumbnail animated content? Defaults to 0.5 (middle of animation).
  stillFrame: 0.5

  # How many days after a thumbnail is generated before it expires and is deleted. The thumbnail
  # can be regenerated safely - this just helps free up some space in your datastores. Set to
  # zero or negative to disable. Defaults to disabled.
  expireAfterDays: 90


# Controls for the rate limit functionality
rateLimit:
  # Set this to false if rate limiting is handled at a higher level or you don't want it enabled.
  enabled: false

  # The number of requests per second before an IP will be rate limited. Must be a whole number.
  requestsPerSecond: 1

  # The number of requests an IP can send at once before the rate limit is actually considered.
  burst: 10

  # The 'leaky bucket' configurations for MMR. Leaky buckets are limited in size and have a slow
  # drain rate, minimizing the ability for a user to consume large amounts of resources.
  #
  # Buckets are checked and applied after the requests per second configuration above. Buckets are
  # disabled when rate limiting is disabled.
  #
  # Note: buckets are *not* shared across processes. If download requests could end up at two different
  # processes, two different buckets may be filled. This behaviour may change in the future.
  buckets:
    # The download bucket applies to both download requests and thumbnail requests. Each anonymous
    # user is assigned a single bucket from their IP address. Authenticated requests (when supported)
    # will use the authenticated entity as the subject - either a user or remote server.
    downloads:
      # The maximum size of each bucket.
      capacityBytes: 524288000 # 500mb default
      # The number of bytes to "drain" from the bucket every minute.
      drainBytesPerMinute: 5242880 # 5mb default
      # The number of bytes a requester can go over the capacity, once. This is used to give some
      # buffer to allow a single file to be downloaded when the caller is near the limit. This
      # should be set to either your max remote download size or 30% of the capacityBytes, whichever
      # is smaller.
      overflowLimitBytes: 268435456 # 100mb default (the same as the default remote download maxBytes)


# Identicons are generated avatars for a given username. Some clients use these to give users a
# default avatar after signing up. Identicons are not part of the official matrix spec, therefore
# this feature is completely optional.
identicons:
  enabled: true

# The quarantine media settings.
quarantine:
  # If true, when a thumbnail of quarantined media is requested an image will be returned. If no
  # image is given in the thumbnailPath below then a generated image will be provided. This does
  # not affect regular downloads of files.
  replaceThumbnails: true

  # If true, when media which has been quarantined is requested an image will be returned. If
  # no image is given in the thumbnailPath below then a generated image will be provided. This
  # will replace media which is not an image (ie: quarantining a PDF will replace the PDF with
  # an image).
  replaceDownloads: false

  # If provided, the given image will be returned as a thumbnail for media that is quarantined.
  # The recommended size is at least 512x512.
  #thumbnailPath: "/path/to/thumbnail.png"

  # If true, administrators of the configured homeservers may quarantine media for their server
  # only. Global administrators can quarantine any media (local or remote) regardless of this
  # flag.
  allowLocalAdmins: true

# The various timeouts that the media repo will use.
timeouts:
  # The maximum amount of time the media repo should spend trying to fetch a resource that is
  # being previewed.
  urlPreviewTimeoutSeconds: 30

  # The maximum amount of time the media repo will spend making remote requests to other repos
  # or homeservers. This is primarily used to download media.
  federationTimeoutSeconds: 120

  # The maximum amount of time the media repo will spend talking to your configured homeservers.
  # This is usually used to verify a user's identity.
  clientServerTimeoutSeconds: 30

# Prometheus metrics configuration
# For an example Grafana dashboard, import the following JSON:
# https://github.com/t2bot/matrix-media-repo/blob/main/docs/grafana.json
metrics:
  # If true, the bindAddress and port below will serve GET /metrics for Prometheus to scrape.
  enabled: true

  # The address to listen on. Typically "127.0.0.1" or "0.0.0.0" for all interfaces.
  bindAddress: "0.0.0.0"

  # The port to listen on. Cannot be the same as the general web server port.
  port: 9001

# Options for controlling various MSCs/unstable features of the media repo
# Sections of this config might disappear or be added over time. By default all
# features are disabled in here and must be explicitly enabled to be used.
featureSupport:
  # No unstable features are currently supported.

# Support for redis as a cache mechanism
#
# Note: Enabling Redis support will mean that the existing cache mechanism will do nothing.
# It can be safely disabled once Redis support is enabled.
#
# See docs/redis.md for more information on how this works and how to set it up.
redis:
  # Whether or not use Redis instead of in-process caching.
  enabled: true

  # The database number to use. Leave at zero if using a dedicated Redis instance.
  databaseNumber: 15

  # The Redis shards that should be used by the media repo in the ring. The names of the
  # shards are for your reference and have no bearing on the connection, but must be unique.
  shards:
    - name: "127.0.0.1"
      addr: ":6379"

# Optional sentry (https://sentry.io/) configuration for the media repo
sentry:
  # Whether or not to set up error reporting. Defaults to off.
  enabled: false

  # Get this value from the setup instructions in Sentry
  dsn: "https://examplePublicKey@ingest.sentry.io/0"

  # Optional environment flag. Defaults to an empty string.
  environment: ""

  # Whether or not to turn on sentry's built in debugging. This will increase log output.
  debug: false

# Configuration for the internal tasks engine in the media repo. Note that this only applies
# to the media repo process with machine ID zero (the default in single-instance mode).
#
# Tasks include things like data imports/exports.
tasks:
  # The number of workers to have available for tasks. Defaults to 5.
  numWorkers: 5

# Options for collecting PGO-compatible CPU profiles and submitting them to a hosted pgo-fleet
# server. See https://github.com/t2bot/pgo-fleet for collection/more detail.
#
# If you process more than 1Hz of requests or have more than a dozen media repos deployed, please
# get in contact with `@travis:t2l.io` to submit profiles directly to MMR. Submitted profiles are
# used to improve the build speed for everyone.
pgo:
  # Whether collection is enabled. Defaults to false.
  enabled: false

  # The pgo-fleet submit URL.
  submitUrl: "https://pgo-mmr.t2host.io/v1/submit"

  # The pgo-fleet submit key.
  submitKey: "INSERT_VALUE_HERE"